Thousands of code repositories were found exposed in over one hundred Docker registries that are accessible from the Internet without authentication, Palo Alto Network reports.
Containing critical business data such as application source code and historical versions, these registries could put an organization’s entire cloud infrastructure at risk. Exposure could result in stolen proprietary intellectual property, hijacked operation critical data, or malicious code being injected.
Docker registries are servers where Docker images are stored and organized into repositories, with each repo containing images of one application and multiple versions of the application, each with a unique tag. Docker registries include support for three primary operations: pushing, pulling, and deleting images.
Of 941 Docker registries found to be exposed to the Internet, 117 do not require authentication, Palo Alto Networks’ security researchers say. Of the misconfigured registries, 80 allow the pull operation, 92 the push operation, and 7 the delete operation.
With some of these registries containing over 50 repositories and 100 tags, the security researchers identified a total of 2,956 applications and 15,887 application versions exposed.
The security researchers managed to attribute a quarter of the unsecured registries through reverse DNS lookup or cnames in the TLS certificates (without accessing the exposed images). The registries belong to research institutes, retailers, news media organizations, and technology companies.
“With all the source code and historical tags, malicious actors can design tailored exploits to compromise the systems. If the push operation is allowed, benign application images may be replaced with images with backdoors. These registries may also be used for hosting malware. If the delete operation is allowed, hackers could encrypt or delete the images and ask for ransom,” they note note in a blog post.
The issue, Palo Alto Networks says, has broader implications, as each registry is typically accessed by multiple clients, meaning that all the clients that pull and run images become vulnerable to compromise.
Setting up a Docker registry server is straightforward, but extra configurations are required to ensure communications are secured and access control is enforced. However, without proper access control, registry services exposed to the Internet become a risk.
Most cloud service providers, the network security firm points out, offer managed registry services, and customers also get additional features when choosing cloud-based registries, including a GUI user interface, vulnerability scanning, and integrated access control, to simplify registry management.
“A misconfigured Docker registry could leak confidential data, lead to a full-scale compromise, and interrupt the business operations. The remediation strategy for this particular misconfiguration is straightforward, such as adding a firewall rule to prevent the registry from being accessed from the internet and enforcing authentication header in all the API requests,” Palo Alto concludes.
Related: ‘Graboid’ Crypto-Jacking Worm Targets Docker Hosts
Related: JIRA Misconfiguration Leaks Data of Fortune 500 Companies